Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2598
Views
30
Helpful
2
Replies

ISE PSN grace period if connection to PAN is lost

Go to solution
muthumohan
Level 1
Level 1

‎01-20-2022 07:10 PM

Hi All,

 

For how long the PSNs will hold the policies if the PSNs lose their connectivity to both PANs? Is there a grace period? If yes, how long is the default? I could not find any information on this from documentation.

 

Appreciate your help.

 

Thank you,

Mohan

1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-20-2022 08:02 PM

The node won't "lose" it's configuration, but there are two scenarios where a node will need manual intervention when it comes back or is fixed.

The first is if a node is offline for 24 hours or longer. The PAN will stop attempting replication and you will have to visit the deployment page in the admin GUI and perform a manual sync.

The second is tied to other problems in the deployment, but if a node falls more than 1 million replication messages behind then the PAN will disconnect is and similar to the first scenario it will require a manual resync from the deployment view. 


Both of these scenarios though are mild as far as the fix goes if there isn't some other underlying problem, you just need to click "resync" in the deployment view and in about 20-30 minutes your node will be happy again. 

View solution in original post

2 Replies 2

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-20-2022 07:16 PM

PSN node Lost connect with PAN, then it holds the information as of now whatever updated and available with PSN, and continue to work as it is. (there are no updates taken plan since you lost PAN), once the connection is restored it will get updated information.

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID59

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎01-20-2022 08:02 PM

The node won't "lose" it's configuration, but there are two scenarios where a node will need manual intervention when it comes back or is fixed.

The first is if a node is offline for 24 hours or longer. The PAN will stop attempting replication and you will have to visit the deployment page in the admin GUI and perform a manual sync.

The second is tied to other problems in the deployment, but if a node falls more than 1 million replication messages behind then the PAN will disconnect is and similar to the first scenario it will require a manual resync from the deployment view. 


Both of these scenarios though are mild as far as the fix goes if there isn't some other underlying problem, you just need to click "resync" in the deployment view and in about 20-30 minutes your node will be happy again. 

Customers Also Viewed These Support Documents